1978481 - Hit MOZ_CRASH(ElementAt(aIndex = 0, aLength = 0)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51

Status: VERIFIED FIXED

(Core :: DOM: Editor, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing 20250620-a81354b1b61e (--enable-address-sanitizer --enable-undefined-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(ElementAt(aIndex = 0, aLength = 0)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51

#0 0x5a256c31cb55 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x5a256c31cb55 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:381:3
#2 0x5a256c31cb55 in mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:77:3
#3 0x7ecba60fbb96 in ElementAt /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1214:7
#4 0x7ecba60fbb96 in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1251:12
#5 0x7ecba60fbb96 in FirstRangeRef /builds/worker/checkouts/gecko/editor/libeditor/AutoClonedRangeArray.h:138:66
#6 0x7ecba60fbb96 in mozilla::HTMLEditor::AutoMoveOneLineHandler::Prepare(mozilla::HTMLEditor&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5874:51
#7 0x7ecba61f9cbc in operator() /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:242:45
#8 0x7ecba61f9cbc in mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement(mozilla::HTMLEditor&, mozilla::dom::Element&, mozilla::dom::Element&, mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>> const&, mozilla::Maybe<nsAtom*> const&, mozilla::dom::HTMLBRElement const*, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/WhiteSpaceVisibilityKeeper.cpp:206:28
#9 0x7ecba60e56d6 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:5626:9
#10 0x7ecba60c971d in operator() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4399:16
#11 0x7ecba60c971d in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteNonCollapsedRange(mozilla::HTMLEditor&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:4363:7
#12 0x7ecba60c62c9 in mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run(mozilla::HTMLEditor&, mozilla::LimitersAndCaretData const&, short, short, nsRange&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:338:51
#13 0x7ecba60da1a6 in mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteNonCollapsedRanges(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::HTMLEditor::AutoDeleteRangesHandler::SelectionWasCollapsed, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:3197:16
#14 0x7ecba60cefa3 in mozilla::HTMLEditor::AutoDeleteRangesHandler::Run(mozilla::HTMLEditor&, short, short, mozilla::AutoClonedSelectionRangeArray&, mozilla::dom::Element const&) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:1204:47
#15 0x7ecba60cd1bf in mozilla::HTMLEditor::HandleDeleteSelection(short, short) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorDeleteHandler.cpp:506:61
#16 0x7ecba5f7f5b4 in mozilla::EditorBase::DeleteSelectionAsSubAction(short, short) /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:4862:9
#17 0x7ecba6071bf8 in mozilla::HTMLEditor::InsertElementAtSelectionAsAction(mozilla::dom::Element*, mozilla::EnumSet<mozilla::HTMLEditor::InsertElementOption, unsigned int>, nsIPrincipal*) /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:2204:21
#18 0x7ecba609b9c7 in mozilla::InsertTagCommand::DoCommandParam(mozilla::Command, nsTSubstring<char16_t> const&, mozilla::EditorBase&, nsIPrincipal*) const /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditorCommands.cpp:1331:13
#19 0x7ecb9f2aca5d in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, mozilla::dom::TrustedHTMLOrString const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5798:27
#20 0x7ecba0c8b39f in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:4181:36
#21 0x7ecba110b76f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306:13
#22 0x7ecba7efba17 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
#23 0x7ecba7efba17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:12
#24 0x7ecba7f1a478 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#25 0x7ecba7f1a478 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:669:10
#26 0x7ecba7f1a478 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3287:16
#27 0x7ecba7efa7f9 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
#28 0x7ecba7efa7f9 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:471:13
#29 0x7ecba7efbb8d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:629:13
#30 0x7ecba7efd891 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
#31 0x7ecba7efd891 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:696:8
#32 0x7ecba804006a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#33 0x7ecba0c5d0a2 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventHandlerBinding.cpp:65:37
#34 0x7ecba1fe7497 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
#35 0x7ecba1fe5e3e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:200:12
#36 0x7ecba1f9dbd0 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1392:22
#37 0x7ecba1f9fbd0 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1698:12
#38 0x7ecba1f9eb29 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1603:35
#39 0x7ecba1f86f19 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:466:5
#40 0x7ecba1f86f19 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#41 0x7ecba1f84a28 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#42 0x7ecba1f8b8e2 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1261:11
#43 0x7ecba1f92ae0 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:0:0
#44 0x7ecb9f72fb17 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1542:17
#45 0x7ecba1fac222 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:214:13
#46 0x7ecba1effac7 in DispatchEventOnTarget /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:89:12
#47 0x7ecba1effac7 in mozilla::AsyncEventDispatcher::DispatchEventOnTarget(mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::ChromeOnlyDispatch, mozilla::Composed) /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:75:3
#48 0x7ecba1eff863 in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:62:5
#49 0x7ecb9b3d414a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#50 0x7ecb9b3c1a58 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
#51 0x7ecb9b3c8b1d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1310:20
#52 0x7ecb9b3c6658 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1133:15
#53 0x7ecb9b3c6c76 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#54 0x7ecb9b3e4d01 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#55 0x7ecb9b3e4d01 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#56 0x7ecb9b403b9b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#57 0x7ecb9b40e498 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#58 0x7ecb9cab04fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#59 0x7ecb9c993d74 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#60 0x7ecb9c993d74 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#61 0x7ecb9c993d74 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#62 0x7ecba5cc9d36 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#63 0x7ecba5ea184b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:471:33
#64 0x7ecba7c3e63d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:20
#65 0x7ecb9c993d74 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#66 0x7ecb9c993d74 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#67 0x7ecb9c993d74 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#68 0x7ecba7c3cbae in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:585:34
#69 0x5a256c30bcb1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22

Comment 1

[Mayank Bansal]

Got a crash on nightly from the testcase: https://crash-stats.mozilla.org/report/index/bc6773c0-3b3d-4b2f-aef3-234270250722#tab-bugzilla

Comment 2

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Well, the crash occurred here and the method is called by here. So, rangesToWrapTheLine should be not empty at least when it's created. I.e., here could remove all ranges.

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250721154325-bca22a6d0402.
The bug appears to have been introduced in the following build range:

Start: d1ed8b49f598519f4958b352d1ebfc2769cf07db (20250616222230)
End: 30918d85080a0392dfc7d61f458f12378b15333a (20250617022918)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d1ed8b49f598519f4958b352d1ebfc2769cf07db&tochange=30918d85080a0392dfc7d61f458f12378b15333a

Comment 4

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Oh, that hits this assertion.

And surprisingly, this is a regression of bug 1951038??

Comment 5

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Ah, I got it. AutoTrack* scope may be changed by the rough outdenting in the patch.

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: Bug 1978481 - Restore the scope of `trackAfterRightBlockChild` in `WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement` r=m_kato!

Previously, there was a scope for that [1] but it was not intentionally
created. Therefore, the scope was deleted accidentally by outdenting
in bug 1951038.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1951038

Comment 8

[Pulsebot]

Pushed by masayuki@d-toybox.com:
https://github.com/mozilla-firefox/firefox/commit/3a5264095c42
https://hg.mozilla.org/integration/autoland/rev/b5c244bca2f4
Restore the scope of `trackAfterRightBlockChild` in `WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoDescendantLeftBlockElement` r=m_kato

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/53916 for changes under testing/web-platform/tests

Comment 10

[Cristina Horotan [:chorotan]]

https://hg.mozilla.org/mozilla-central/rev/b5c244bca2f4

Comment 11

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 12

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20250723155040-c6c802b9d454.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.